Thursday, May 17, 2012

Buyer's Guide to Full Disk Encryption

When a corporate laptop goes missing, do you worry about the risk of a
data breach? There is good reason for concern: According to recent
research by Symantec, 34 percent of data breaches are the result of lost or stolen devices such as laptops.
The good news is that this is a preventable issue. A Full Disk
Encryption (FDE) solution can ensure that sensitive information isn't
exposed in the event that one of your organization's laptops is lost or
stolen.

How It Works

As the name suggests, FDE solutions work by encrypting a system's
entire hard drive – including the operating system and all applications
and data stored on it. When the system is started, the user is prompted
for the encryption key, which enables the system to boot and run
normally. As information is read from the disk, it is decrypted on the
fly and stored in memory – and any information written to the disk is
also encrypted on the fly. Without the encryption key, the data stored
on the disk remains inaccessible to thieves and hackers.
FDE differs from File-Level Encryption (FLE) in that it secures all
data stored on your hard drives automatically and transparently –
including swap files and hidden files that may contain confidential data
– without any user intervention. In contrast, FLE only protects
specific files that are manually encrypted, and generally depends on the
user to perform some action to ensure that files are encrypted before
storage.
One drawback of FDE is that it does nothing to protect files "in
motion." Once a file is sent via email or copied to a memory stick, it
is no longer encrypted. For that reason, you may want to consider
deploying FLE in conjunction with FDE, so that users have the option to
manually encrypt files that need to be shared with others.
Most FDE products allow administrators to enable users to provide the
encryption key for a system at the pre-boot stage in several ways:

in the form of a password or passphrase;

by inserting a USB drive containing the key;

using a one-time password generating device such as an RSA token;

using a biometric device such as a fingerprint reader (usually connected to a Trusted Platform Module, which holds the actual encryption key).

With many systems, administrators can also require more than one
authentication method, thereby creating a two-factor authentication
system.
Modern encryption algorithms, when implemented in a Federal
Information Processing Standard (FIPS) 140 compliant manner, make it
impractical – effectively impossible – for anyone to decrypt data on a
drive using FDE without the key. That means that if a user loses or
forgets their passphrase, the data on the encrypted drive will be
permanently inaccessible unless the encryption part of the FDE product
works with a key management system which enables key retrieval – either
through a self-service system or via a help desk.
FDE systems involve some processor (and therefore power) overhead to
carry out the on-the-fly encryption and decryption, and the impact of
this depends on the amount of disk I/O that individual applications
demand. For users carrying out typical email and office productivity
activities, the performance impact is unlikely to be noticeable – but it
can be significant for very data-intensive activities such as video
processing, unless the computer's main processor and the FDE product
both support Intel's AES-NI instructions for hardware accelerated
encryption and decryption.

Vulnerability to Attack

No security system is 100 percent secure, and FDE systems can be vulnerable to various attacks including:

Accessing the encryption key. When users store a USB drive
containing the encryption key along with a computer, accessing the
encryption key becomes trivial for a thief. Users can also be fooled
into revealing their password through social engineering.

Theft of the laptop while it is running. FDE only protects
data when the computer is turned off. That means that if a laptop is
stolen while it is running but unattended (or while the user is
distracted) the data will be fully accessible to the thief.

Advanced in-memory techniques. FDE systems require that the
encryption keys are held in memory while the system is running. Since
the contents of DRAM chips persist for a period of seconds to minutes
after a system is shut down (and this time period can be extended by
chilling the DRAM with canned air), it is possible to cut the power to a
laptop that has been left unattended and boot it from a memory stick or
CD into another operating system and read (and save) the contents of
the DRAM. The key can then be extracted from this data and used in a
subsequent attack.

It's also worth noting that some software applications place
information on the main drive's boot sector, and this can get
overwritten by FDE systems, causing them to stop working.

Overview of Leading Full Disk Encryption Products

Key things to look for when evaluating an FDE purchase are:

Operating system support

Authentication methods

Key management systems and recovery options

FIPS-140 compliant encryption modules

Support for Intel AES-NI instructions

Here's an overview of some of the leading FDE vendors:

Check Point Full Disk Encryption.
Check Point's FDE product works with Windows, Linux, and OS X.
Multi-factor authentication options, such as certificate-based
Smartcards and dynamic tokens, are supported.
The FDE system can be centrally managed by Check Point's Endpoint
Policy Management Software Blade, enabling central policy
administration, enforcement, and logging from a single console. Remote
password change and one-time login remote help options are available for
users who may have forgotten their passwords or lost access tokens.

McAfee Endpoint Encryption.
Available for Windows and OS X, McAfee's Endpoint Encryption product
provides full-disk encryption with support for AES-NI hardware
acceleration.
McAfee ePolicy Orchestrator (ePO) management infrastructure provides
centralized deployment, management, shared policy administration,
password recovery, monitoring, reporting, auditing, and proof of
protection. Access control includes two- and three-factor, pre-boot
authentication.

Microsoft BitLocker Drive Encryption.
BitLocker is included in the Ultimate and Enterprise versions of
Windows 7, but not in the lower end versions. Once BitLocker is turned
on, all files saved to the internal hard drive are encrypted
automatically. It can also be used to encrypt external storage devices
such as USB drives, using a feature called BitLocker To Go.
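BitLocker exposes its state and key protectors through a WMI class, which lets an administrator verify, rather than assume, that a laptop's internal drives are protected and that a recovery password is escrowed. The following PowerShell script is an added example, not code from the original article or from Microsoft; it assumes a domain-joined Windows client where the Win32_EncryptableVolume class is available, an elevated prompt, and that the domain has been configured to accept BitLocker recovery information.

```powershell
# Added example (not from the original article): audit BitLocker state on a
# domain-joined Windows client through the Win32_EncryptableVolume WMI class
# and escrow each recovery password to AD DS. Run from an elevated prompt.
$Namespace = "root\cimv2\Security\MicrosoftVolumeEncryption"

# Key protector type codes as documented for Win32_EncryptableVolume
$ProtectorName = @{
    0 = "Unknown"; 1 = "TPM"; 2 = "ExternalKey"; 3 = "NumericalPassword"
    4 = "TPMAndPIN"; 5 = "TPMAndStartupKey"; 6 = "TPMAndPINAndStartupKey"
    7 = "Passphrase"; 8 = "TPMCertificate"; 9 = "SID"
}

foreach ($vol in (Get-WmiObject -Namespace $Namespace -Class Win32_EncryptableVolume)) {
    # VolumeType: 0 = operating system, 1 = fixed data, 2 = removable (BitLocker To Go)
    if ($vol.VolumeType -eq 2) { continue }

    $protection = $vol.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
    $conversion = $vol.GetConversionStatus()                    # EncryptionPercentage is 100 when done

    # Enumerate every key protector (type 0 = any) and resolve its type name
    $types = @()
    foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
        $code = $vol.GetKeyProtectorType($id).KeyProtectorType
        $types += $ProtectorName[[int]$code]
    }

    # A volume is only recoverable through the help desk if a recovery password
    # (numerical password protector, type 3) exists and is escrowed in AD DS.
    $escrowed = 0
    foreach ($id in $vol.GetKeyProtectors(3).VolumeKeyProtectorID) {
        $result = $vol.BackupRecoveryInformationToActiveDirectory($id)
        if ($result.ReturnValue -eq 0) { $escrowed++ }
        else {
            Write-Warning ("{0} AD DS backup of protector {1} failed with 0x{2:X8}" -f
                $vol.DriveLetter, $id, $result.ReturnValue)
        }
    }

    # One report object per internal volume (New-Object keeps this PowerShell 2.0 compatible)
    New-Object PSObject -Property @{
        Drive            = $vol.DriveLetter
        Protected        = ($protection -eq 1)
        EncryptedPercent = $conversion.EncryptionPercentage
        Protectors       = ($types -join ",")
        RecoveryEscrowed = $escrowed
    }
}
```

A volume reporting Protected = False or RecoveryEscrowed = 0 is a laptop whose loss would be either a breach or an unrecoverable drive, which is exactly the gap this kind of check is meant to close before the device leaves the building.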
BitLocker can use an enterprise's existing Active Directory Domain
Services (AD DS) infrastructure to remotely store recovery keys. The
system provides a wizard for setup and management, as well as
extensibility and manageability through a Windows Management
Instrumentation (WMI) interface with scripting support. BitLocker also
has a recovery console integrated into the early boot process to enable
the user or helpdesk personnel to regain access to a locked computer.

Sophos SafeGuard Enterprise.
Sophos's FDE product is available for Windows and OS X, and supports
AES-NI instructions. It supports pre-boot user authentication with a
password, token, smartcard, biometrics or key ring, as well as corporate
Single Sign On (SSO) systems. Sophos' key management system provides
recovery options for keys, data and forgotten passwords.

Symantec PGP Whole Disk Encryption.
Available for Windows, OS X, and Linux systems, Symantec's PGP Whole
Disk Encryption supports AES-NI instructions in all three operating
systems when available. Users can authenticate using smart card, Trusted
Platform Module (TPM), or passphrase.
Protected systems can be centrally managed by Symantec's PGP
Universal Server – simplifying deployment, policy creation, key
management, and reporting. Passphrase and machine recovery options
include local self-recovery with question and answer authentication, and
one-time-use tokens.

TrueCrypt.
This free, open-source full disk encryption software is available for
Windows, OS X, and Linux. It also supports AES-NI instructions.
TrueCrypt's main benefit is that it is free, which may be appealing
to owners of very small businesses. However, it includes no key
management system, so if a passphrase gets forgotten then there is no
way to decrypt and access a drive. This shortcoming makes it unsuitable
for use in anything but very small implementations.

WinMagic SecureDoc Disk Encryption.
WinMagic's software provides FDE for Windows, OS X, and Linux. Pre-boot
authentication is carried out using password, tokens, smartcards,
biometrics and SSO systems.
SecureDoc is available in a standalone version, or as part of a
centrally-managed whole disk encryption solution deployed from SecureDoc
Enterprise Server (SES). SES provides a console that enables the
configuration of users, groups, and profiles as well as key management,
with integration with Active Directory.
Key management with SecureDoc is achieved using an encrypted database
to store/escrow all keys for encrypted endpoints managed by SES. In the
event of lost tokens or forgotten passwords, self-help and/or
helpdesk-based challenge-response options enable password recovery.